Information security (infosec for short) is a major challenge in enterprise operations and computerization. Yet, looking into the endless stream of domestic and foreign security incidents, whether external hacker intrusions or the intentional or unintentional leakage of confidential internal files, the problem of "data theft and leakage" has clearly become the greatest hidden concern in corporate information security. Unlike large enterprises, which spend vast sums building Data Loss/Leak Prevention (DLP) systems on high-end hardware and software protection mechanisms, this paper presents a successful implementation case and empirical study of digital rights management (Enterprise Digital Rights Manager, EDRM) for small and medium-sized enterprises. By pairing the EDRM system with control measures such as well-designed file permissions, staff education and training, network detection, and IT equipment control, the same functional requirements of data confidentiality, control, and file-flow tracking can be met without changing how users work, reaching the DLP stage goals and expected benefits for SMEs. In the industrial ecosystem of the low-margin era, this study shows the EDRM system to be a low-burden, high-benefit, and high-success-rate security protection system for SMEs. In the benefit evaluation stage, the system's effectiveness is verified along the dimensions of data security, data confidentiality, and enterprise security capability. The results show that the EDRM system satisfies the DLP needs of SMEs and also meets the three C.I.A. objectives (Confidentiality, Integrity, Availability) of the ISO 27001 information security management system certification, enhancing corporate competitiveness and consolidating corporate standing. This study can serve as a reference for SMEs introducing an EDRM system.
Information security is a major task in business operations and the computerization process. However, investigation of the endless number of internal and external security incidents at home and abroad shows that the "theft and leakage" of confidential and sensitive files has become the biggest concern for corporate security protection. Unlike the Data Loss/Leak Prevention (DLP) systems on which large enterprises spend huge sums to build high-level software and hardware protection mechanisms, this paper presents a successful implementation of Enterprise Digital Rights Management (EDRM) for Small-and-Medium Enterprises (SMEs). The EDRM system is combined with management controls such as file permissions, personnel training, network detection, and device control, without changing users' daily operating processes. It still satisfies functional requirements such as data confidentiality, auditing, and file-flow tracking, and achieves the DLP stage goals and expected benefits for SMEs. In the industrial ecological chain of the low-profit era, this study demonstrates that the EDRM system is an effective DLP protection strategy for SMEs. At the benefit evaluation stage, the effectiveness of the system was demonstrated in terms of data security, data confidentiality, and corporate security capabilities. The research results show that the EDRM system can meet the DLP requirements of corporate executives and the three C.I.A. objectives (Confidentiality, Integrity, Availability) of the information security specification, which enhances the competitiveness of enterprises and strengthens their corporate position.